Fixed issue: Missing CSRF protection
Dev Can now be enabled in LSYii_Application.php. It's currently deactivated as it is mostly untested.
Dev New HttpRequest class enables exceptions for certain POST requests (like AJAX)
c-schmitz committed Dec 4, 2012
1 parent e87cf6a commit edadb69
Showing 6 changed files with 81 additions and 14 deletions.
3 changes: 0 additions & 3 deletions application/config/config-sample-mysql.php
Expand Up @@ -55,9 +55,6 @@
'rules' => require('routes.php'),
'showScriptName' => true,
),
'request'=>array(
'enableCsrfValidation'=>false, // Set this to true to enable CSRF protection. This is a new feature - please report any problems.
),
// Use the following config variable to set modified optional settings copied from config-defaults.php
'config'=>array(
// debug: Set this to 1 if you are looking for errors. If you still get no errors after enabling this
4 changes: 1 addition & 3 deletions application/config/config-sample-pgsql.php
Expand Up @@ -56,9 +56,7 @@
'rules' => require('routes.php'),
'showScriptName' => true,
),
'request'=>array(
'enableCsrfValidation'=>false, // Set this to true to enable CSRF protection. This is a new feature - please report any problems.
),

),
// Use the following config variable to set modified optional settings copied from config-defaults.php
'config'=>array(
3 changes: 0 additions & 3 deletions application/config/config-sample-sqlsrv.php
Expand Up @@ -56,9 +56,6 @@
'rules' => require('routes.php'),
'showScriptName' => true,
),
'request'=>array(
'enableCsrfValidation'=>false, // Set this to true to enable CSRF protection. This is a new feature - please report any problems.
),

),
// Use the following config variable to set modified optional settings copied from config-defaults.php
17 changes: 13 additions & 4 deletions application/controllers/InstallerController.php
Expand Up @@ -940,6 +940,18 @@ function _writeConfigFile()
extract(self::_getDatabaseConfig());
$sDsn = self::_getDsn($sDatabaseType, $sDatabaseLocation, $sDatabasePort, $sDatabaseName, $sDatabaseUser, $sDatabasePwd);

// mod_rewrite existence check
// Section commented out until a better method of knowing whether the mod_rewrite actually
// works is found. In the meantime, it is better to set $showScriptName to 'true' so it
// works on all installations, and allow users to change it manually later.
//if ((function_exists('apache_get_modules') && in_array('mod_rewrite', apache_get_modules())) || strtolower(getenv('HTTP_MOD_REWRITE')) == 'on')
//{
// $showScriptName = 'false';
//}
//else
//{
$showScriptName = 'true';
//}
if (stripos($_SERVER['SERVER_SOFTWARE'], 'apache') !== false)
{
$sURLFormat='path';
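Review bot: The commented-out mod_rewrite branch at the top of this hunk is dead code; the prose comment above it already records why `showScriptName` is forced on, so the `//if … //else … //}` lines can go and `$showScriptName = 'true';` can stand alone. Holding a boolean as the string `'true'` only works because the value is pasted into the generated config text in the second hunk of this file; `$showScriptName = true;` together with `."\t\t\t" . "'showScriptName' => " . var_export($showScriptName, true) . "," . "\n"` at that interpolation point writes an identical config file while giving the variable a real type. `_writeConfigFile()` begins before this hunk and continues past it.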
Expand Down Expand Up @@ -1026,11 +1038,8 @@ function _writeConfigFile()
."\t\t" . "'urlManager' => array(" . "\n"
."\t\t\t" . "'urlFormat' => '{$sURLFormat}'," . "\n"
."\t\t\t" . "'rules' => require('routes.php')," . "\n"
."\t\t\t" . "'showScriptName' => true," . "\n"
."\t\t\t" . "'showScriptName' => $showScriptName," . "\n"
."\t\t" . ")," . "\n"
."\t\t" . "'request'=>array(" . "\n"
."\t\t\t" . "'enableCsrfValidation'=>false, // Set this to true to enable CSRF protection. This is a new feature - please report any problems.". "\n"
."\t\t" . "),"
."\t" . "" . "\n"

."\t" . ")," . "\n"
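--- a/application/core/HttpRequest.php
+++ b/application/core/HttpRequest.php
@@ -0,0 +1,55 @@
+<?php
+/*
+* LimeSurvey
+* Copyright (C) 2007-2011 The LimeSurvey Project Team / Carsten Schmitz
+* All rights reserved.
+* License: GNU/GPL License v2 or later, see LICENSE.php
+* LimeSurvey is free software. This version may have been modified pursuant
+* to the GNU General Public License, and as distributed it includes or
+* is derivative of works licensed under the GNU General Public License or
+* other free or open source software licenses.
+* See COPYRIGHT.php for copyright notices and details.
+*/
+
+
+/**
+* Description of HttpRequest
+*
+*
+* Used in LSYii_Application.php
+* <pre>
+* 'request'=>array(
+* 'class'=>'HttpRequest',
+* 'noCsrfValidationRoutes'=>array(
+* '^services/wsdl.*$'
+* ),
+* 'enableCsrfValidation'=>true,
+* 'enableCookieValidation'=>true,
+* ),
+* </pre>
+*
+* Every route will be interpreted as a regex pattern.
+*
+*/
+class HttpRequest extends CHttpRequest {
+public $noCsrfValidationRoutes = array();
+
+protected function normalizeRequest(){
+parent::normalizeRequest();
+
+if($_SERVER['REQUEST_METHOD'] != 'POST') return;
+
+$route = Yii::app()->getUrlManager()->parseUrl($this);
+if($this->enableCsrfValidation){
+foreach($this->noCsrfValidationRoutes as $cr){
+if(preg_match('#'.$cr.'#', $route)){
+Yii::app()->detachEventHandler('onBeginRequest',
+array($this,'validateCsrfToken'));
+Yii::trace('Route "'.$route.' passed without CSRF validation');
+break; // found first route and break
+}
+}
+}
+}
+
+}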
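Review bot: The exemption test `preg_match('#'.$cr.'#', $route)` is an unanchored substring match, so an entry such as `getTokens_json` (the default this commit configures in LSYii_Application.php) also exempts every route that merely contains that text, and a `#` inside a pattern would break the delimiter. Anchoring in the class, `if(preg_match('#^(?:'.$cr.')$#', $route))`, makes each entry cover exactly one route shape and still accepts the already-anchored `^services/wsdl.*$` example from the docblock; a note in that docblock that entries are matched against the parsed route and must not carry regex delimiters would spare callers the surprise. The trace message on the following line is also missing its closing quote: `Yii::trace('Route "'.$route.'" passed without CSRF validation');`.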
13 changes: 12 additions & 1 deletion application/core/LSYii_Application.php
@@ -1,4 +1,4 @@
<?php if ( ! defined('BASEPATH')) exit('No direct script access allowed');
<?php
/*
* LimeSurvey
* Copyright (C) 2007-2011 The LimeSurvey Project Team / Carsten Schmitz
Expand Down Expand Up @@ -77,6 +77,17 @@ public function __construct($config = null)
$config['components']['db']['enableParamLogging'] = true;
}
}

$config['components']['request']=array(
'class'=>'HttpRequest',
'noCsrfValidationRoutes'=>array(
// '^services/wsdl.*$' // Set here additional regex rules for routes not to be validate
'getTokens_json'
),
'enableCsrfValidation'=>false, // Enable to activate CSRF protection
'enableCookieValidation'=>false // Enable to activate cookie protection
);

parent::__construct($config);
// Load the default and environmental settings from different files into self.
$ls_config = require(APPPATH . DIRECTORY_SEPARATOR . 'config' . DIRECTORY_SEPARATOR . 'config-defaults.php');
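Review bot: The assignment `$config['components']['request']=array(` replaces the whole 'request' component unconditionally, so any 'request' settings a deployment keeps in its config.php are discarded and switching CSRF validation on means editing this core file, which an upgrade overwrites; the three sample configs in this commit drop their 'request' entries for the same reason. Treating this block as defaults merged under the loaded config keeps the new class and route list while letting config.php flip `enableCsrfValidation` or `enableCookieValidation`. `__construct()` starts before this hunk and continues after it.
```php
// … unchanged: db component adjustments …

// Defaults for the request component; a 'request' entry in config.php overrides them.
$requestDefaults = array(
    'class'=>'HttpRequest',
    'noCsrfValidationRoutes'=>array(
        // '^services/wsdl.*$' // Set here additional regex rules for routes not to be validated
        'getTokens_json'
    ),
    'enableCsrfValidation'=>false, // Enable to activate CSRF protection
    'enableCookieValidation'=>false // Enable to activate cookie protection
);
$config['components']['request'] = array_merge(
    $requestDefaults,
    isset($config['components']['request']) ? $config['components']['request'] : array()
);

parent::__construct($config);
```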
